ContinuumIO / anaconda-issues

Anaconda issue tracking

Custom CA certificates and ca-certificates package #11947

Open sstallion opened 4 years ago

sstallion commented 4 years ago

I'm currently evaluating conda for managing a large development environment and I'm running into an issue dealing with custom CA certificates. For commands installed to the environment like curl, the system cacert.pem is eschewed for those provided by the ca-certificates package. The main issue we have is many of our tools default to using OpenSSL for resolving cacerts, so it's impractical (and in some cases impossible) to provide environment variables to change which bundles are used at runtime.

There does not seem to be a way to extend ca-certificates without modifying <env>/ssl/cacert.pem. Is there a better way to update cacerts than modifying this file directly?

Actual Behavior

Unable to verify internal resources when unmodified ca-certificates package is installed.

Expected Behavior

A method to provide additional certificates without modifying files provided by ca-certificates.

Steps to Reproduce

$ curl https://some.internal.host/, followed by failure to verify certificate without modifying <env>/ssl/cacert.pem.

Anaconda or Miniconda version:

conda 4.8.3

Operating System:
conda info

```
$ conda info

     active environment : /vagrant/.conda
    active env location : /vagrant/.conda
            shell level : 1
       user config file : /home/vagrant/.condarc
 populated config files : /home/vagrant/.condarc
          conda version : 4.8.3
    conda-build version : not installed
         python version : 3.8.3.final.0
       virtual packages : __glibc=2.31
       base environment : /opt/miniconda3  (read only)
           channel URLs : https://repo.anaconda.com/pkgs/main/linux-64
                          https://repo.anaconda.com/pkgs/main/noarch
                          https://repo.anaconda.com/pkgs/r/linux-64
                          https://repo.anaconda.com/pkgs/r/noarch
          package cache : /opt/miniconda3/pkgs
                          /home/vagrant/.conda/pkgs
       envs directories : /home/vagrant/.conda/envs
                          /opt/miniconda3/envs
               platform : linux-64
             user-agent : conda/4.8.3 requests/2.23.0 CPython/3.8.3 Linux/5.4.0-42-generic ubuntu/20.04 glibc/2.31
                UID:GID : 1000:1000
             netrc file : None
           offline mode : False
```

conda list --show-channel-urls

```
# packages in environment at /opt/miniconda3:
#
# Name                    Version                   Build  Channel
_libgcc_mutex             0.1                        main  defaults
ca-certificates           2020.1.1                      0  defaults
certifi                   2020.4.5.1               py38_0  defaults
cffi                      1.14.0           py38he30daa8_1  defaults
chardet                   3.0.4                 py38_1003  defaults
conda                     4.8.3                    py38_0  defaults
conda-package-handling    1.6.1            py38h7b6447c_0  defaults
cryptography              2.9.2            py38h1ba5d50_0  defaults
idna                      2.9                        py_1  defaults
ld_impl_linux-64          2.33.1               h53a641e_7  defaults
libedit                   3.1.20181209         hc058e9b_0  defaults
libffi                    3.3                  he6710b0_1  defaults
libgcc-ng                 9.1.0                hdf63c60_0  defaults
libstdcxx-ng              9.1.0                hdf63c60_0  defaults
ncurses                   6.2                  he6710b0_1  defaults
openssl                   1.1.1g               h7b6447c_0  defaults
pip                       20.0.2                   py38_3  defaults
pycosat                   0.6.3            py38h7b6447c_1  defaults
pycparser                 2.20                       py_0  defaults
pyopenssl                 19.1.0                   py38_0  defaults
pysocks                   1.7.1                    py38_0  defaults
python                    3.8.3                hcff3b4d_0  defaults
readline                  8.0                  h7b6447c_0  defaults
requests                  2.23.0                   py38_0  defaults
ruamel_yaml               0.15.87          py38h7b6447c_0  defaults
setuptools                46.4.0                   py38_0  defaults
six                       1.14.0                   py38_0  defaults
sqlite                    3.31.1               h62c20be_1  defaults
tk                        8.6.8                hbc83047_0  defaults
tqdm                      4.46.0                     py_0  defaults
urllib3                   1.25.8                   py38_0  defaults
wheel                     0.34.2                   py38_0  defaults
xz                        5.2.5                h7b6447c_0  defaults
yaml                      0.1.7                had09818_2  defaults
zlib                      1.2.11               h7b6447c_3  defaults
```
sstallion commented 4 years ago

A brief update - I think I may have sorted out a possible solution. It looks like SSL_CERT_DIR is defined in the default conda openssl installation and points to <env>/ssl/certs/; if the CA certificate is placed in that directory (it may need to be created first) followed by a c_rehash <env>/ssl/certs (perl will need to be installed), this seems to resolve the issue.

This should be fairly easy to work into a custom package with a post-link script to run c_rehash.

If this is acceptable it might be worth documenting somewhere to save some time/frustration.

Thoughts?

Note: If you're curious what your OpenSSL environment looks like, issue:

```
$ python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile='/vagrant/.conda/ssl/cert.pem', capath='/vagrant/.conda/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/vagrant/.conda/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/vagrant/.conda/ssl/certs')
```
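The SSL_CERT_DIR workaround described above, written out as an added example that is not from the thread or from conda: a script that drops an internal CA into the environment's `<env>/ssl/certs` and builds the `<subject_hash>.N` link with `openssl x509 -subject_hash`, so neither perl nor c_rehash is needed, and refuses certificates that are not marked CA:TRUE. `install_ca` and `verify_with_capath` are names chosen here, and the script assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example, not from the issue thread: install an internal CA into the
# environment's OpenSSL CApath (the <env>/ssl/certs directory that SSL_CERT_DIR
# points at) instead of editing the cacert.pem owned by ca-certificates.
# Assumes the openssl CLI is on PATH; install_ca and verify_with_capath are
# names chosen for this example.
set -eu

# install_ca CERT.pem [CERT_DIR]
# Copies the CA into CERT_DIR (default: $CONDA_PREFIX/ssl/certs) and creates the
# <subject_hash>.<n> symlink that OpenSSL's CApath lookup needs; this is what
# c_rehash does, but without requiring perl. Prints the link path.
install_ca() {
    cert=$1
    dir=${2:-${CONDA_PREFIX:?set CONDA_PREFIX or pass a directory}/ssl/certs}
    # Only issuer certificates belong in a trust store: refuse anything whose
    # basicConstraints does not say CA:TRUE.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "refusing $cert: not a CA certificate (CA:TRUE missing)" >&2; return 1; }
    mkdir -p "$dir"
    name=$(basename "$cert")
    cp "$cert" "$dir/$name"
    subj_hash=$(openssl x509 -in "$cert" -noout -subject_hash)
    # Take the first free suffix so two CAs with the same subject do not clobber each other.
    n=0
    while [ -e "$dir/$subj_hash.$n" ]; do n=$((n + 1)); done
    ln -s "$name" "$dir/$subj_hash.$n"
    echo "$dir/$subj_hash.$n"
}

# verify_with_capath CERT_DIR LEAF.pem
# Checks that LEAF chains to a CA in CERT_DIR using the CApath alone, i.e. the
# lookup that curl and other OpenSSL-linked tools in the environment perform.
verify_with_capath() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage: install_ca.sh /path/to/internal-ca.pem  (usable as a post-link script body)
if [ -n "${1:-}" ]; then
    echo "installed $(install_ca "$1")"
fi
```

Run `openssl verify -CApath "$CONDA_PREFIX/ssl/certs" leaf.pem` afterwards to confirm the link is picked up before relying on it from curl.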
jvmncs commented 1 year ago

Bumping this. Our team uses mkcert for development, and anaconda makes that tool borderline unusable due to its global cert swapping.